s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
authorStefan Metzmacher <metze@samba.org>
Fri, 31 May 2024 06:38:24 +0000 (08:38 +0200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:11 +0000 (08:48 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3467d1491490830d61d16cb6278051daf48466fc)

source4/dns_server/dns_crypto.c

index be79a4e87b75e085d107f7afbe49f2c4540486ec..332d2255dd436620595c0dd6913f5611100c4a89 100644 (file)
@@ -106,7 +106,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
        struct dns_server_tkey *tkey = NULL;
        struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
                        struct dns_fake_tsig_rec);
-
+       const char *algorithm = NULL;
 
        /* Find the first TSIG record in the additional records */
        for (i=0; i < packet->arcount; i++) {
@@ -161,6 +161,16 @@ WERROR dns_verify_tsig(struct dns_server *dns,
        }
        DBG_DEBUG("dns_find_tkey() => found\n");
 
+       algorithm = state->tsig->rdata.tsig_record.algorithm_name;
+       if (strcmp(algorithm, "gss-tsig") == 0) {
+               /* ok */
+       } else if (strcmp(algorithm, "gss.microsoft.com") == 0) {
+               /* ok */
+       } else {
+               state->tsig_error = DNS_RCODE_BADKEY;
+               return DNS_ERR(REFUSED);
+       }
+
        /*
         * Remember the keyname that found an existing tkey, used
         * later to fetch the key with dns_find_tkey() when signing
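Review bot: The refusal branch sets DNS_RCODE_BADKEY and returns without recording which algorithm name was offered, so an operator debugging a BADKEY/REFUSED response has nothing to correlate with; a line such as `DBG_WARNING("Unsupported TSIG algorithm '%s'\n", algorithm);` before the `return DNS_ERR(REFUSED);` would make the rejection visible alongside the existing DBG_DEBUG output. The two `strcmp` checks are also case-sensitive, while the TSIG algorithm name is carried in domain-name syntax and RFC 8945 compares such names case-insensitively, so a client sending `GSS-TSIG` would be refused here — whether that strictness is intended, or whether the NDR layer already canonicalises the case, is not visible in the hunk and is worth a comment either way. The two empty `/* ok */` branches could be collapsed into a single negated condition, `if (strcmp(algorithm, "gss-tsig") != 0 && strcmp(algorithm, "gss.microsoft.com") != 0) {`, which reads more directly. dns_verify_tsig's body continues outside this hunk, so whether `algorithm_name` can arrive as NULL from the parser (which would make the `strcmp` undefined) cannot be confirmed from here.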